New assurance standard required for cloud confidence

One of the perceived inhibitors in the uptake of cloud computing, particularly into the delivery of enterprise systems, is a need for assurance that there are controls operating to protect the confidentiality, integrity and availability of data and of their systems. Currently, recognised assurance standards do not fully address the wider requirements that cloud services bring.

As with all change, there is risk. The adoption of cloud computing is no different. For those considering outsourcing for the first time, the major new risk is that they are no longer in control of their operations, yet remain accountable.

Those who already outsource additionally need to consider security and privacy in a multi-tenancy environment, as well as potential platform lock-in.

Third-party reporting standards have been developed to provide one independent report on the design and operation of controls that satisfies most of the assurance requirements needed, thereby avoiding the cost and operational impact of multiple audits. However, these are mainly focused on financial reporting. How can cloud users gain assurance that all of their risks are being managed?

The challenge is to find standards that will enable assurance to be provided that is acceptable to user organisations and accepted by the service providers.

Not only should this help meet user needs to manage risk, it may also help to overcome the obstacle facing service providers in persuading clients to adopt and expand their cloud offerings.

While there are a number of standards that provide the basis for assurance, none of them covers all the elements related to cloud computing:

SAS 70 and its successors

The most widely recognised standard globally for service organisations in providing assurance is the AICPA's SAS 70. This is being replaced by a new global standard ISAE 3402 and its US equivalent SSAE 16. However, these standards focus on financial reporting requirements and therefore are not fully appropriate in meeting assurance needs over many cloud offerings in the areas of Infrastructure, Platform or Software as a Service.

Trust services

These services (Webtrust and Systrust) address security, continuity, processing integrity and confidentiality and are more aligned with the technical aspects of many of the cloud services provided. As such, they help address "gaps" which ISAE 3402/SSAE 16 are not designed to cover.

Cloud industry standards

Recognising the need to provide confidence to users, the cloud industry itself is developing its own standards. However, these raise two potential issues: a) how rigorous are the requirements? and b) how independent is the assurance?

A new global standard is required, one that is acceptable to users in its breadth of coverage, in the rigour of its requirements and in its independent attestation. It would also need to be accepted by service providers. We consider that this is likely to be based on the general International Standard on Assurance Engagements (ISAE) 3000, 'Assurance Engagements Other than Audits or Reviews of Historical Financial Information', incorporating relevant areas from ISAE 3402/SSAE 16 and Trust Services.

This should help enable the wider adoption of cloud services and address the needs of both parties: service organisations, in providing confidence to users, and users, in gaining assurance that their business risks are being managed appropriately.

Seamus Reilly, CISSP, is director of IT risk advisory at Ernst & Young